The epiLab-SS secure service has recently been notified that it has successfully achieved “Level 2” compliance with the NHS information governance toolkit. This toolkit, based on the ISO-27001 information security standard, is a standardised assurance process that is mandated for all NHS organisations. Universities and other academic research groups have recently been required to adopt the toolkit to address aspects of personal information handling, in particular where access to unconsented identifiable datasets is required. More information on the epiLab-SS compliance can be found at the following link.
The value of information
Academic research involves the collection and management of information from disparate sources to build upon or refine a body of knowledge. Although research in itself should have some intrinsic value to society, the costs of the associated activities can also be considerable. These costs are not merely financial, since they also involve time and effort as well as potential ethical compromises “for the greater good”, as in animal experimentation or placebo-controlled trials.
Since research is costly, it follows that the component parts that are derived from or support this activity must be of value. In everyday life most people understand the need to protect valuables and typically carry out their own personal risk assessment to determine how to secure their possessions; in many cases by locking doors, shredding papers or employing trusted third-party services. Generally, this is done without consciously thinking about the process, by adopting societal norms (or ‘standards’) in respect of most security-related decisions.
Organizations are not individuals, and cannot carry out this instinctive risk assessment without a helping hand from some man-made constructs. James Reason, in his 2000 BMJ article “Human error: models and management”, elegantly describes the need to apply a system approach, based on the assumption that human error is inevitable and that the conditions within which humans work must be adapted, rather than embarking on futile attempts to change the human condition.
“When an adverse event occurs, the important issue is not who blundered, but how and why the defences failed.” Reason, J (2000)
Just as Reason’s paper has fundamentally affected our approach to risk management in UK healthcare, so it should also highlight the wider issues in relation to the risk of information security incidents in all aspects of the research data life-cycle. It clearly articulates the rationale for well-understood standards to support information security, what would commonly be referred to as an Information Security Management System (ISMS).
A standard for Information Security (ISO-27001)
Although it is perfectly reasonable to attempt to implement an ISMS without reference to existing standards, it is highly desirable to use one. A standard provides a well-established framework drawn from the past experience (and mistakes) of others. More importantly, standards offer reference points against which systems may be benchmarked and audited. Although it is not possible to measure security directly, it is possible to measure conformance to a prescribed standard. By adopting a suitable information security standard and being audited successfully against it, it is possible to assure others that appropriate controls, with associated governance, are in place within an organization.
The internationally recognized information security standard is called ISO-27001 and forms the ‘requirements’ of an ISMS. Each of these requirements specifies things that ‘shall’ be done. ISO-27002 is the associated Code of Practice for information security management, which describes what ‘should’ be done to implement the standard. The subtle distinction is that this second document simply provides recommendations for the implementation of an ISO-27001 compliant ISMS.
ISO-27001 provides a taxonomy of 138 security controls plus an introductory clause introducing risk assessment and treatment. The controls are grouped into security categories, each of which contains one or more controls designed to meet that category’s control objective. The controls described within the standard are not an exhaustive list and, depending on the results of risk assessment, not all controls will be required for a given ISMS.
Properties of an ISO-27001 ISMS
Any meaningful discussion of information security must begin with a simple question: ‘what are we seeking to secure?’ Although this may seem trivial, it is of fundamental importance: the scope of the system must be defined, in other words the boundaries of the information to be secured must be clearly described.
The development of an ISMS that complies with the complete ISO-27001 standard is a major challenge for any organization, and success depends on clearly defining the scope of such a system; too small and the process is rarely cost-effective, too large and it may be unachievable. In practice, an initial high-level risk assessment and cost-benefit analysis should help to identify the appropriate focus for such a system.
The cornerstone of an ISMS is effective risk assessment. Risk assessments are difficult to carry out and there is no silver bullet. The key point is that risk assessment is part of an on-going process of continuous improvement. In basic terms there are a series of steps that need to be followed.
- Identify the information assets that need to be protected.
- Identify any vulnerabilities that relate to these assets.
- Identify threats that need to be guarded against.
- Estimate the likelihood of threats exploiting vulnerabilities (otherwise known as risks).
To be systematic, you need to define a threshold level of ‘acceptable risk’ above which additional controls will be required.
The ISO 27000 series documents provide a taxonomy of 138 controls that are appropriate, along with guidance on their implementation. A key facet of all controls is that they need to be owned by someone (i.e. a responsible party or organization), and it should be possible to define the means by which the effectiveness of each control may be assured and audited. The list of 138 controls is not intended to be exhaustive, and it is important to consider additional controls, if required, that are not explicitly referred to in the standard.
Statement of Applicability (SoA)
ISO-27001 prescribes the creation of a summary document that itemizes all of the 138 controls plus any additional controls, and clearly states whether each control has been selected, with a reference to where evidence of the control can be found. Where controls have not been selected there should be clearly stated reasons for this. The SoA acts as a summary reference document that, taken in conjunction with the Scope Statement, should provide an auditor with a high-level view of an ISMS.
Like many similar management systems, an ISMS is dynamic and should follow the plan-do-check-act cycle (also known as the Deming Cycle). Made popular by Dr W. Edwards Deming, the father of modern quality control, the approach involves a process of continuous improvement through multiple iterations. It is worth noting that other management system standards, like ISO-9001, apply similar cyclical process models, and a suitably-designed ISMS should be able to accommodate many of the requirements of these other systems.
The standard outlines the requirements of each of these four steps in the cycle concisely, within just four pages, before going on to provide requirements for:
- Documentation (including document and record control)
- Management responsibility in respect of management’s own commitment, provision of resources and programmes of training and awareness
- Internal audit
- Management review
- Continuous Improvement, including corrective and preventive action
In practice, the dynamic aspect of the management of an ISMS is often the most difficult part to get right, but this is where the iterative technique allows for successive improvement over time.
1. Reason J: Human error: models and management. BMJ 2000, 320(7237):768-770.
2. BSI: Information technology. Security techniques. Information security management systems. Requirements. In: BS ISO/IEC 27001:2005 / BS 7799-2:2005. Edited by IST/33. BSI; 2005.
3. BSI: Information technology. Security techniques. Code of practice for information security management. In: BS ISO/IEC 27002:2005, BS 7799-1:2005, BS ISO/IEC 17799:2005. Edited by IST/33. BSI; 2005.
On Friday 28th September 2012 the epiLab-SS secure research environment passed its Stage 2 assessment as meeting the requirements of the ISO-27001 standard for Information Security. The resulting certificate, due to be formally issued by LRQA within weeks, is the result of a rigorous third-party audit of the epiLab-SS Information Security Management System (ISMS). The auditor followed up his initial (Stage 1) assessment of the structural elements of the ISMS by examining in more detail the dynamic functional elements of the system and its wider context within UCL, which involved interviews with a range of senior management personnel.
A critically important element in the process was the demonstration that the ISMS design had been adapted to meet the needs of the domain of epidemiology research, handling personally identifiable and sensitive data safely and securely. Our application of data management plans as a mechanism for assuring the engagement of researchers with the ISMS has proved to be invaluable in this respect. These plans have allowed researchers to clearly enumerate all information assets and to highlight concerns, vulnerabilities and legal obligations at key stages during their use of the service.
This achievement is highly significant since it demonstrates an effective and cost-efficient approach to the provision of secure data handling services within an academic context, and means that UCL has become one of the few academic institutions in the UK to provide independent assurance of information security provision for research datasets. We have been able to implement a secure private cloud-based service, using an accredited UK government G-Cloud data centre (AIMES Grid Services CIC Ltd) with end-to-end ISO-27001 certification.